This comment is about the target web page in the link provided in the story. My browser (Firefox) locks up for 30 seconds when hitting that link. I lose control of the mouse pointer and buttons. This has happened on one or two other web pages over the past several months as well.

What causes this behavior? I can't even click outside of the browser window to get control back.

The Galaxy S3 (Android 4.1 + TouchWiz overlay - and I assume other Samsung phones do similar) doesn't put in a delay. But after four wrong attempts, it threatens that four more wrong attempts will cause it to wipe the phone clean. So this would actually be a robot for automatically wiping android phones.

The author of the linked article claims that it can grind through 'all 10,000 possible PINs' in 20 hours. The problem is that that is not the number of possible PINs - there is no reason to pick a 4-digit PIN on an Android phone. The PIN can be anything from 4-16 characters long.

My other phone, running Cyanogenmod 10.1 (Android 4.3), does put in a 30-second delay after five incorrect attempts. I guess this still only adds up to 15 hours when attempting all 10,000 4-digit PINs, though.

I can't find the reference right now, but I believe the pattern unlock is actually quite a bit less safe than a PIN. The problem the article I'm remembering discussed is that the swipe pattern has FAR fewer choices for each value than a PIN. In a PIN, each digit has 10 choices and there are 10 choices for the next value in a pattern unlock. The article actually ran the numbers, but it intuitively makes a lot of sense.

I say password rather than PIN, because it is not limited to 4 characters and can include things besides numbers -- e.g., letters and special characters. I don't know what the maximum length is; mine is 8 characters long.

As far back as a few months ago, pattern lock was less safe to use than a PIN. It can be bypassed without root privilege. Search for "bypassing android pattern lock". Basically you can delete the file containing this information through an adb command (USB connection to your computer, USB debug enabled on MD). Type

adb shell rm /data/system/gesture.key
Reboot the phone, unplug the cable, and you're set. I have not verified that works on 4.3 (or 4.2 for that matter).

Not all Android phones are open to this robot attack (I will not address the other listed attacks in the comments). At least some vendors enhance the standard OSS in this area. Before Motorola Mobility was acquired by Google, at least some phones (Cliq2 running 2.3.6) shipped from them with the following escalation:

5 wrong unlock tries started a 30-second lockout;
5 additional wrong unlock tries started another 30-second lockout; repeat until the wrong unlock try count hits ~25; then it forces you to use the Google authorization linked to the device to unlock it.
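As an added example (not from any of the comments here), a small Python model of the throttling policies the commenters describe (no delay, a 30-second lockout after five wrong attempts, a wipe after eight, and the Motorola escalation above) against the 4-digit and 4-to-16-digit numeric keyspaces. The 7.2 seconds per guess is a constructed assumption derived from the linked article's claim of roughly 20 hours for 10,000 four-digit PINs.

```python
"""Added example (not from any comment above): a small model of how lock-screen
throttling and keyspace size bound a PIN-guessing robot. Policy figures are the
ones quoted in the thread; the 7.2 s per guess is a constructed assumption taken
from the linked article's claim of ~20 hours for 10,000 four-digit PINs."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LockoutPolicy:
    name: str
    attempts_per_lockout: int = 0        # 0 means no lockout at all
    lockout_seconds: float = 0.0
    hard_stop: Optional[int] = None      # wipe / forced online auth after N wrong guesses


# Policies as described by the commenters (constructed from the thread's figures).
NO_THROTTLE = LockoutPolicy("no delay (as the article assumes)")
CM_DELAY = LockoutPolicy("CM 10.1: 30 s after 5 wrong", 5, 30.0)
S3_WIPE = LockoutPolicy("Galaxy S3: wipe after 8 wrong", hard_stop=8)
MOTO_ESCALATION = LockoutPolicy("Cliq2: 30 s per 5, Google auth at ~25", 5, 30.0, 25)


def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of distinct secrets of length min_len..max_len over the alphabet."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def worst_case_seconds(policy: LockoutPolicy, guesses: int,
                       seconds_per_guess: float = 7.2) -> Optional[float]:
    """Wall-clock time to submit `guesses` attempts under `policy`.

    Returns None when the policy stops the attack (wipe or forced online
    authentication) before that many guesses can be made.
    """
    if policy.hard_stop is not None and guesses > policy.hard_stop:
        return None
    lockouts = guesses // policy.attempts_per_lockout if policy.attempts_per_lockout else 0
    return guesses * seconds_per_guess + lockouts * policy.lockout_seconds


def hours_to_exhaust(policy: LockoutPolicy, space: int) -> Optional[float]:
    """Hours to try every secret in a keyspace of `space` entries, or None if stopped."""
    secs = worst_case_seconds(policy, space)
    return None if secs is None else round(secs / 3600, 1)


if __name__ == "__main__":
    four_digit = keyspace(10, 4, 4)            # 10,000 PINs
    full_range = keyspace(10, 4, 16)           # numeric PINs, 4 to 16 digits long
    for policy in (NO_THROTTLE, CM_DELAY, S3_WIPE, MOTO_ESCALATION):
        print(f"{policy.name:40s} 4-digit: {hours_to_exhaust(policy, four_digit)} h"
              f"  4-16 digits: {hours_to_exhaust(policy, full_range)} h")
```

Run it to see that a delay alone only multiplies the 4-digit figure by a small constant, while a hard stop or a longer PIN removes exhaustive guessing as an option.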

JTAG is disabled on production units. It's one of the items pen testers check for before signing off on the device. But booboos do happen once in a while. Also, some partitions are fully encrypted or partially encrypted. And the CPU has hardware-protected keys...

This posting seems a little snarky, almost like a dig at Android in response to the rather more significant flaws found in Apple's Touch ID system. Out of the box vanilla Android devices can be secured with far longer PINs or alpha-numeric passcodes that would make this particular attack impractical.

What this really demonstrates is that short or simple PINs, passcodes, swipe patterns, etc. amplify any weaknesses in an authentication system. But at least the security-conscious Android user has the option of using a long passcode; there currently is no way that an iPhone 5S user can strengthen Touch ID against compromise - other than perhaps extensive use of disposable gloves and cleaning cloths!

Yeah, I think the corps have screwed us. They don't care about security at all. I feel like I have to rethink all of the technology I come in contact with. These mobile phones have gotten way out of hand. (No pun intended. :P)

Wael: I can also confirm JTAG works on the N4 with the right hardware. Perhaps others won't be as lucky with different phones, as the Nexus were intended to be, uh, mod friendly. I agree with you re encryption though - if the owner was to use the included dm-crypt based FDE you would be shit out of luck as far as making sense of the dumped data (well, except if you managed to steal the phone while it was running and do a cold boot RAM dump to grab the key, which has been successfully done on a Nexus with stock encryption enabled). Guess none of us here are silly enough to put anything remotely trusted on a mobile device, right? (I have a friend who keeps his PGP secret key ring on his phone so he can read encrypted emails on the run and I shudder every time he uses APG in front of me)

Thanks for saving me the time. I don't have access to a Lauterbach for a few weeks.

Guess none of us here are silly enough to put anything remotely trusted on a mobile device, right?

lol! I am sure your question is rhetorical!
I'm guilty of that! As they say,
The carpenter's door is broken,
Doctors are the worst patients, and
The shoemakers' kids run barefooted...
Security people...
Should make a limerick out of it, but @ Clive Robinson will complain.

Wael: I must admit I bricked my N4 (somehow corrupted the boot loader) and had to resort to JTAG. Sure you have to solder onto the header but it does work. Re security - I *try* and practice what I preach but my cell phone is somewhere that I draw the line at being undefendable and instead I don't trust it at all. I don't use full disk encryption as my cell is almost always switched on when I am out of the home or office and given how easy cold boot key retrieval is I didn't think it was worth the bother. Ditto with having a PIN/pattern lock. I store nothing worth stealing on the phone and don't use NFC based wallets etc. So it's really a risk minimization strategy. I do keep the android tor client installed though and have root so it can transparently proxy things through tor when browsing (not because I need anonymizing but because I don't - driving my cell phone casual web surfing through gives the snoops a bit more noise to the signal they are after)... incidentally from what I have noticed it leaks DNS queries so be careful of Orbot. Although it's a pain in the ass I printed my OPIE keys out on inkjet DIY business card paper (the A4 or legal sheets that perforate into a bunch of cards) twenty keys to a card (two sided, ten to a side) and keep one card in my wallet for times I need remote ssh access. It works quite well and doesn't need any fobs or tokens like one commercial two factor solution that uses an Android or iPhone app.

My home computing opsec leaves a lot to be desired but that is in part due to other people's computers! My wife has an unpatched Win7 machine that seems to get owned every week. I have put it on a private VLAN to try and segregate it ;-)

Generating rhyme, like factoring primes
Needs more than just skill,
It requires some time.
In today's society that may just surprise
As everything's instant in a consumerist's eyes
But just as Bronte could not write Wuthering Heights in a day,
I suspect that nobody can quickly break 2048 bit RSA
Not even the NSA

Yep. I used to pick locks and crack safes for a living. There are kits to do the latter via servos and close contact transducer. Nothing fancy; try every combination until the lock opens. Thing is Group 2 locks are so poorly made that the 100 positions translates in reality to about 30.

Richard Feynman noted this in one of his autobiographies, Surely You're Joking, Mr. Feynman!

my cell phone is somewhere that I draw the line at being undefendable and instead I don't trust it at all.

With the likes of Carrier IQ sitting on the phone, that's the right thing to do. Me? I gave up on privacy long ago...

The only way I know to have privacy is not to have a cell phone, bank accounts, social security numbers, grocery store loyalty cards, land line phones, drivers licenses, a car, an apartment... Just pay with cash if you can get a job;)
Basically you can't exist on paper. Would be a difficult life.

That didn't happen to me with the link, but the same/similar thing happens to me (browser disappearing, everything locking up, mouse unresponsive, etc.) virtually every time I go to LinkedIn. I have no idea what the cause is, I only know it's rather frustrating.

Wael: haha, yes in the words of Bob Dylan "I'm a poet, and I know it; hope I don't blow it"

Re my pseudonym, I am glad it makes you smile. That's sort of the intent. I used to have a giant plaster of Paris statue of Pan (the great goat God of the Greeks) copulating with a she-goat on my desk until some douchebag in upper management said it was unprofessional and forced me to remove it. It sat in the break room until a female (Christian fundamentalist) secretary took offense and it somehow just disappeared. Yes, she stole my goat statue! I also had a 3D printed BSD Daemon with a sausage covered in Windows logos on his trident that also went missing. No doubt it was the same person who kept stealing stationery.

Re phones it would be nice if someone with some security credibility could sit down and engineer an OS from the ground up for mobile devices that implements just enough functionality to be useful without being overbearing. I was fond of Symbian not because of its design or code quality but because of its philosophy. Guess the current climate of having features as the primary driver of sales isn't conducive to rolling out a mature and well tested OS designed with security in mind. Hopefully this will change.

Re meatspace security. Illegals are very good at doing just that - living their whole lives "off the record". Unfortunately for most of us we are betrayed and inducted into the system as soon as we pop out of the womb. We get serialized (SSN#) and forensic data is collected. Perhaps I am being too paranoid but I expect that the heel prick test for phenylketonuria is also used for mass surveillance (in most states the cards are not destroyed and are archived). Add to this serialized medical implants, dental records, fingerprint collection at grade school under the guise of protecting your children from crime, etc.

fingerprint collection at grade school under the guise of protecting your children from crime, etc...

I think I stated once that our fingerprints are taken at birth. Seems that's a slightly inaccurate statement. They take the footprint instead. Fingerprints are not fully developed at birth, I'm told. Maybe in school they create the connection.

Re phones it would be nice if someone with some security credibility could sit down and engineer an OS from the ground up for mobile devices that implements just enough functionality to be useful without being overbearing. I was fond of Symbian not because of its design or code quality but because of its philosophy.

Unfortunately, technology isn't the only factor. Without saying more, the safest for the time being is buying a "trade" phone, and using something like AOSP on it. "Trade" phones are unlocked phones that are not subsidized by carriers - you buy them directly from the manufacturer, not from a carrier store. You'll also need to block FOTA functionality. I don't foresee this technique being safe in the future either. Reason is, the modem firmware is not open source... @ RobertT had a different tactic mentioned somewhere in the not so deep bowels of this blog....

Wael: yeah, I believe the footprints are probably useless. The PKU heel prick cards however could definitely be used to create a DNA database of every person born in the USA since the late 70s. Devious idea hey?

Android will take up to 16 full ASCII characters (anything on the keyboard) for screen unlock. On Nexus devices (at least the GNex), there is an app that locks into the full dm-crypt engine and allows unlimited length for the pre-boot FDE password. On an encrypted device, Recovery can't see anything but read-only system files, without the FDE password. Removing all permissions from adb in /system/bin is wise as well.